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Abstract. This paper clarifies the method described in our previous 
paper (DOI: 978-3-319-02726-5_21), namely rainbow distinguished point 
method, and give revised theoretical and experimental results which 
shows rainbow distinguished point method behaves interiorly to other 
time memory tradeoff methods. 
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1 Introduction 

Time memory tradeoff algorithm is introduced by Heilman in 1980s [5]. It is a 
generic method to invert one-way functions and is useful in symmetric cipher 
design and analysis. After that, a lot of work has been done to improve the 
efficiency of time memory tradeoff algorithms, such as perfect tables and distin¬ 
guished point method. Rainbow tradeoff, introduced by Oechslin at CRYPTO 
2003, is the most widely known method, which applies to crack various password 
based systems [3]. 

Distinguished point method is put forward by Rivest to reduce the time 
required to access pre-computed tables. Our previous paper ([5]) presented a 
combination of DP method and rainbow tradeoff, called rainbow distinguished 
point method. It used a rather rough approximation of rhi. It shows that rainbow 
distinguished point method is NOT recommended compared to other TMTO 
algorithms. 

This paper give a full description of the offline and online phase of rainbow 
distinguished point method. With a more accurate analysis, we show how to 
hnd optimal parameters and that rainbow distinguished point method behaves 
interiorly to other time memory tradeoff methods. As a matter of fact, recent 
works on this subject m have shown that the rainbow fuzzy tradeoff (another 
combination of DP method and rainbow tradeoff) performs the best among all 
existing tradeoff algorithms. 

The rest of this paper are as follows. We first give a full description of the 
offline phase and online phase of rainbow distinguished point method. Then 
we theoretically analyze the tradeoff curve and show how to choose optimal 
parameters. In the last, we present experimental results and make a comparison 
with some of the existing tradeoff algorithms. 


2 Description of Rainbow Distinguished Point Method 


The procedure of rainbow distinguished point method consists of the offline 
phase and online phase. 


2.1 Offline phase 

Fix a distinguished property, and the probability of a random selected x G J\f to 
be a distinguished point is 1/t. We refer to t as the chain length. In general, the 
distinguished points set 

C = {x\xgN' and MSBfc(a;) = 0 }, 

where MSBfe(x) denote the first k bits of x, i.e. t = 2^. A chain length bound 
t = ct is set to discard any chain exceeds a maximum chain length. During the 
offline phase, I pre-computed tables consisting of m pre-computed chains are 
constructed. Every column of all pre-computed tables uses a different reduction 
function. We denote the s-th column of the i-th table by (0<i<Z — 1, 1< 
s <t ) and Ti^siy) is defined as 


ri,s{y) ■= {y + it -f s) mod N. 
We take fi^s = ° f for short. For the i-th table, 


1. Randomly select mo different starting points SPi^i, SPi, 2 , SPi^mo- 

2. Construct pre-computed chains from every starting points. For exam- 

plethe j { I < j < iv-o ) chain = SPi^; For s = 1, 2, ■••compute 

and ^],g+i = n,s(Yl^) = /i,g(X] J iteratively. The pre¬ 
computed chain continue to compute until some distinguished point appears. 
Denote the ending points by EP^^j. If the pre-computed chain exceeds the 
maximum length t before arriving at some distinguished point, then we 
discard this pre-computed chain and continue to compute the next chain. 

3. We construct tuq pre-computed chains, which comprises a pre-computed 
matrix. 

4. The tuple of starting points, ending points and the corresponding chain 
length ( SPij^leriij^FiPij ) ( 1 < J < mo ) of mo chains are sorted 
according the chain length (or the ending points) and stored as the i-th 
pre-computed table. 


2.2 Online phase 

During the online phase, the I pre-computed tables are searched in parallel (as 
depicted in Alg. [T]). 

A pre-image of y* can be found during the online phase only if y* appears in 
the pre-computed matrix. The probability of the online phase is called the success 



Algorithm 1 online searching algorithm of rainbow distinguished point method 
Require: y* £ J\f The expression or description of / ; 

Number of pre-computed tables, number of chains in each table, chain length t , 
chain length bound t; 

Distinguished points set C; 

Pre-computed tables: ; 

Ensure: Success: x* satisfying fix*) = y*■ Or failure. 
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for s = 1 to i do 
for i = 1 to Z do 
q <r- 

for fc = s to 1 do 

q ^ fi,i-k{q) 

if q G C then 

Search q among the ending points of chains with length ( t — fc -|- 1 ) 
in the i-th table; 

for j € {j I Zen(i, j)equals( t — fc + 1 )andgequals EPij} do 

X = SPij; 

for u = 1 to t — s do 
X G- fi,uix); 

end for 

if f{x) equals y* then 
X* <— X', 

return Success; 
end if 
end for 
end if 
end for 
end for 
end for 
retnrn Failure; 


probability of rainbow distinguished point method. An execution of the outer 
loop s is called the s-th (online) iterating search. If q appears as a ending point 
of a pre-computed table, we say an alarm happens. Furthermore if q appears as 
a ending point of a pre-computed table, and the pre-image is NOT found after 
regenerating the pre-computed chain, way say a false alarm happens. 


3 Optimizing the Tradeoff Parameters 

3.1 Theoretical Analysis 

Denote by fho the number of random selected starting points. Denote by fhi (or 
rrii) the number of different elements in the i-th column of the pre-computed ma¬ 
trix, with Too (or toq) lines, before (or after) removing the chains not arriving at 
distinguished points. Denote by Dpc = motl/N the pre-computation coefficient. 







Lemma 1. Let H = 2/(2 + Then 


moH 


ei -{1-H) 

= TOi • (1 - 


where c = t/t. 


Proof. The probability of the elements in the i-th column to be a distinguished 
point is j. Thus 


m.+i=iV(l-(l-lr(i-T)) 


= N 




N 


2N^ 


■ rrii - 


rUi 


2N' 


Discard the terms of order less than mi/t, then it turns out that 


„ _ rui mf 

— m,- =-. 

+ t 2N 

Solve the differential equation 

d ffii fhi ml 

d i t 2N ’ 

and let i? = 2/(2 + then we have 


mi = 


m^H 

ei -{l-H) 


The probability that the fhi different elements of the Tth column can NOT 
arrive at distinguished points after i — i more iterations is 1 — (1 — l/t)*“®. 
After discarding the chains not arriving at distinguished points, the number of 
different elements in the i-th column in a pre-computed matrix is 

mi = fhi{l - (1 - *) « fhi • (1 - 


This completes the proof. 


□ 


Lemma 2. During the online phase, I pre-computed tables are processed in par¬ 
allel. The probability of failure after the first k iterating search, i.e. the probability 
of the k + 1-th iterating search to be executed, is 


Pk = exp 


motlH r 1 - e“-'= 

N ■ Jc-k/t e'^-{l-H) 










And the success probability is 


p=l — Pf = l — exp 


motlH 

N 



1 - 

e“ - (1 - H) 



Proof. For a random function /, we treat the columns of the pre-computed 
matrix as independent, i.e. all the different elements in every column are inde¬ 
pendent. Then 


k-l 


k-1 


Pk = 


=na-^)'-n 


=exp(- (1) 


And 


k-l 


t-1 


t-1 




m^H 


motH 


2=;t —fc+1 i — t — 

r 1 - 


et -{l-H) 


(1 - 


Ic-k/t e^-{l-H) 


du. 


Substitute it into Eq. [T] and we reach the claim after some simplification. 

The probability of failure is the probability of NOT finding a pre-image after 
t iterating search. Thus the success probability is 


1 — Pf = 1 — exp 


niotlH 

N 



1 - 

e“ - (1 - H) 



This completes the proof. □ 

Denote by Efa{i) the expected number of false alarms during the i-th iterat¬ 
ing search. Note that when online chain merges with multiple pre-computed 
chains, all these pre-computed chains need to be regenerated. Thus all pre¬ 
computed chains can be treated as independent. 

It is expected that there are mo(l ~ chains of length j in every 

pre-computed table, and the probability that a pre-computed chain of length j 
merges with an online chain of length i is 


1 - (1 - 


j - ji - i) 

N 


So, 


jr (■\ ~ (^ j ~ ~ y 

Efaiy = 2^ "io(i - -y -■ 


j=t-i+l 


N 

1 , 


= ^1(1 -^ (1 - (1 -- y - jr‘)i, 


which simplifies to 


mote ° 


• (e*/‘ - 


i 

t 


i). 


Efa{i) 


N 














To deal with every false alarms during the i-th iterating search, (t—i+l) function 
invocations are needed. Then the online time (denoted by number of function 
invocations) 


T = - 1) + {i - i + 1) ■ Efa{i)] • Pi-i 


+ 


motl{c — v)e 
N 


-(e’' — 1 — u)]exp( — 


= f 


motlH 
N 

DpcH 


1-e" 


j [iv + DpcC ^(c - u)(e" - 1 - u)] exp ' j 


e“ - (1 - H) 
1 - e“-° 


du I dv 


e“ - (1 - H) 


duj dv. 

( 2 ) 


The memory needed to store pre-computed tables is M = Imo- Then the tradeoff 
coefficient of rainbow distinguished point method is 


Dtcr = TM^N^ 

pc / D M ^ _ pU—c \ 

- u)(e^ - 1 - u)]exp^- ^ • J 

(3) 

where Dpc = motl/N is the pre-computation coefficient of rainbow distinguished 
point method. 


3.2 Parameter Optimization 

We treat the number of pre-computation tables as discrete numbers. Using nu¬ 
merical method we compute the optimal parameter set, which minimize the 
tradeoff coefficient (as shown in Table [T]), when the expected pre-computation 
coefficient and success probability are specified. 

For example, if a pre-computation time of 3.5N function invocations is ex¬ 
pected, to achieve the success probability of 75%, it is best to pre-compute 2 
rainbow distinguished point table with maximum chain length of 1.33t. The 
expected tradeoff coefficient is 14.6280. 

The italic numbers in the table give optimal parameters, which does NOT 
achieve better tradeoff efficiency with more pre-computed time, due to the fact 
that the improvement of online time does not neutralize the efficiency reduction 
of more memory cost. 

3.3 Experiment 

We use a truncated version of MD5 to verify our results. We set the search space 
N = 2^^, number of chains mg = 262144, chain length t = 512, number of tables 
I = 1 and maximum chain length t = 1.8t. 

During the pre-computation phase the number of function invocations is 
6.69W (theoretically 6.68W). The pre-computed table contains 219083 (theo¬ 
retically 218812) pre-computed chains. During the onlie phase, we tested 3000 









Table 1. Success probability, maximum chain length, pre-computation coefficient and 
tradeoff coefficient of rainbow distinguished point method 


1 

P 

Dpc 

c 

Dtcr 

1 

P 

Dpc 

C 

Dtcr 

1 

0.6008 

2.5 

1.35 

4.6907 

1 

0.5997 

3 

1.12 

4.6395 

1 

0.6506 

2.5 

1.66 

7.0548 

1 

0.6505 

3 

1.36 

6.8033 

1 

0.6997 

2.5 

2.1 

11.2609 

1 

0.7004 

3 

1.68 

10.3554 

1 

0.7507 

2.5 

2.9 

21.4945 

2 

0.7504 

3 

1.59 

15.4773 

2 

0.8003 

2.5 

2.75 

32.2432 

2 

0.8006 

3 

2.04 

24.9292 

1 

0.6507 

3.5 

1.17 

6.8485 

1 

0.7004 


1.25 

10.1937 

1 

0.6997 

3.5 

1.42 

10.0658 

1 

0.7511 


1.55 

15.7085 

2 

0.7506 

3.5 

1.33 

14.6280 

2 

0.8002 

4 

2 

21.0761 

2 

0.8002 

3.5 

1.66 

22.2033 

2 

0.8502 

4 

1.84 

34.5087 

2 

0.8500 

3.5 

2.21 

38.5838 

3 

0.9006 

4 

2.23 

66.9477 

a 

0.7016 

4.5 

0.86 

10.3470 

2 

0.7516 

5 

0.93 

14.4699 

2 

0.7520 

4.5 

1.03 

14.3916 

2 

0.7993 

5 

1.12 

20.3680 

2 

0.8001 

4.5 

1.25 

20.5882 

2 

0.8506 

5 

1.42 

31.7488 

2 

0.8509 

4.5 

1.60 

32.7822 

3 

0.9005 

5 

1.64 

54.9546 

3 

0.8999 

4.5 

1.87 

58.5550 

4 

0.9499 

5 

2.34 

133.1831 

2 

0.7989 

5.5 

1.02 

20.4230 

2 

0.8508 

6 

1.18 

31.4500 

2 

0.8498 

5.5 

1.28 

31.1537 

3 

0.9006 

6 

1.33 

51.3959 

3 

0.9000 

5.5 

1.46 

52.3366 

4 

0.9497 

6 

1.79 

108.2289 

4 

0.9498 

5.5 

2.02 

117.5015 

- 

- 

- 

- 

- 

4 

0.9799 

10 

1.48 

183.2010 

6 

0.9901 

10 

1.64 

281.7218 

7 

0.9899 

15 

1.00 

254.6985 

- 

- 

- 

- 

- 


random images. The average number of function invocations is 399804 (theo¬ 
retically 394023). The success probability is approximately 87.6% (theoretically 
87.4%). The average number of false alarms is 511 (theoretically 505). 

3.4 Comparison 

Fixing a same pre-computed time and success probability, we compare the op¬ 
timized tradeoff efficiency of rainbow distinguished point method with Heilman 
method, (Heilman) distinguished point method and rainbow method. See Ta¬ 
ble [2] We can see that rainbow distinguished point method does NOT bring us 
better tradeoff efficiency. 
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Table 2. Comparison of rainbow distinguished point method with other methods 


Time memory tradeoff 
algorithms 

Success 

probability 

pre-computation 

coefficient 
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3 
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TM'^ = 7.17N'‘‘ 

Rainbow method 

P = 90% 

2.8068 

TM'^ = d.eSAb" 
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TM'^ = 66.95N'^ 
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